Posts Tagged ‘Directory Services Restore Mode’

Learn the Basics of Directory Services Restore Mode

June 20th, 2013 by Admin

Directory Services Restore Mode (DSRM) is a special boot option similar to Safe Mode in Windows. It applies only to Windows Server domain controllers and is used to restore or repair the Active Directory database. Whenever the Active Directory database needs to be repaired or restored, DSRM has to be used. Restarting in Directory Services Restore Mode takes the domain controller offline, meaning it functions as a regular server, not as a domain controller.

Boot into Directory Services Restore Mode

If you have physical access to a domain controller, you can access the Directory Services Restore Mode easily. Simply turn on or restart the computer and press F8 before the machine boots into Windows; the system will display the Advanced Boot Options.

Choose the Directory Services Restore Mode from the menu and press Enter. The server will then boot into Directory Services Restore Mode.

Directory Services Restore Mode Password

Generally when you run the DCPROMO command to promote an individual server to a domain controller, the install wizard will prompt you to set a Directory Services Restore Mode password. This password is actually for the built-in local administrator account. In order to boot into Directory Services Restore Mode, you need to use the local administrator account along with the DSRM password to get past the Windows logon screen.

It is very important to know what the DSRM password is. The DSRM password provides the administrator with a back door to boot into Directory Services Restore Mode for performing maintenance and recovery tasks. This account is often forgotten by most AD administrators, which results in a significant security risk. If exploited, this risk can have a high impact.

The DSRM password should be changed on a regular basis. Because the DSRM password can be used to log on in Directory Services Restore Mode, and in this mode the tasks that can be performed are significant, an exploit of the DSRM account can be extremely detrimental to your AD DS forest.
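A check for the two points above, as an added PowerShell example that is not part of the original post: it reports when the DSRM password was last set (Security event 4794) and whether the DSRM account's logon scope has been widened (the documented `DsrmAdminLogonBehavior` registry value). The 180-day threshold and the function names are assumptions for illustration; it assumes a domain controller running Windows Server 2008 or later and an elevated session.

```powershell
# Added example, not from the original post.
# Hypothetical policy value: maximum acceptable age of the DSRM password.
$MaxAgeDays = 180

function Get-DsrmLogonBehavior {
    # DsrmAdminLogonBehavior is a documented Windows setting (not mentioned in
    # the post). Absent or 0 means the DSRM account can log on only when the DC
    # is booted into DSRM; non-zero values widen when the account can log on.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
    if ($null -eq $lsa) { return 0 }
    return [int]$lsa.DsrmAdminLogonBehavior
}

function Get-LastDsrmPasswordSet {
    # Event 4794: "An attempt was made to set the Directory Services Restore
    # Mode administrator password". It is logged only when user account
    # management auditing is enabled, and only kept as long as the log retains it.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) { return $evt.TimeCreated }
    return $null
}

$behavior = Get-DsrmLogonBehavior
$lastSet  = Get-LastDsrmPasswordSet
$findings = @()

if ($behavior -ne 0) {
    $findings += "DsrmAdminLogonBehavior is $behavior (expected 0 or absent)."
}
if ($null -eq $lastSet) {
    $findings += 'No event 4794 in the Security log: last change predates log retention, or auditing is off.'
}
elseif (((Get-Date) - $lastSet).TotalDays -gt $MaxAgeDays) {
    $findings += "DSRM password last set on $($lastSet.ToString('yyyy-MM-dd')), more than $MaxAgeDays days ago."
}

if ($findings.Count -eq 0) { 'DSRM account: no findings.' } else { $findings }
```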

But what if you forget the DSRM password? If a DSRM password is forgotten, you can change or reset it easily by using the tricks described in this article: How to Change or Reset DSRM Administrator Password.

How to Access the Directory Services Restore Mode on a Remote DC

October 15th, 2012 by Admin

When Active Directory (AD) isn’t working, you’d typically boot into Directory Services Restore Mode (DSRM) to repair or recover Active Directory. To access Directory Services Restore Mode, you typically press F8 before the machine boots into Windows, then select the Directory Services Restore Mode option from the menu that appears.

Tip: If you forgot the DSRM password or the domain admin password, you can reset the forgotten password easily with the Reset Windows Password utility.

Sometimes, however, you need to fix a problematic DC in a remote location where nobody is close enough to troubleshoot. Obviously, you can’t boot the domain controller into DSRM as usual. In this tutorial we’ll show you how to access Directory Services Restore Mode on a remote DC.

How to Access Directory Services Restore Mode on a Remote DC?

  1. On your machine, select Run from the Start menu, type Mstsc /console, and click OK.
  2. Type the IP address of the remote domain controller you want to connect to.
  3. Log on to the server using the Active Directory account.
  4. On the DC, right-click My Computer, click Properties, and then click the Advanced tab.
  5. Click Settings for startup and recovery.
  6. Click the Edit button to edit the startup options file.
  7. Modify the default entry to include the /SAFEBOOT:DSREPAIR switch, as shown in the following example:
     multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\ your server name " /fastdetect /SAFEBOOT:DSREPAIR
  8. Save the modified Boot.ini file, and then close Notepad.
  9. Restart the domain controller.
  10. After waiting a few minutes, perform steps 1 and 2 again.
  11. When you reconnect, the server should state that it’s in Directory Services Restore Mode. Log on using the Local Administrator account (not the Active Directory account).

Once you have restarted the server in Directory Services Restore Mode, you are ready to begin the repair or recovery process.
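The Boot.ini edit from step 7, together with its reversal, as an added PowerShell example that is not part of the original post; the function name `Set-DsRepairSwitch` and the sample file content are constructed for illustration. The switch has to be removed again before the final restart, otherwise the domain controller keeps booting into Directory Services Restore Mode.

```powershell
# Added example, not from the original post. Adds or removes the
# /SAFEBOOT:DSREPAIR switch on the default entry of Boot.ini content.
function Set-DsRepairSwitch {
    param(
        [string[]]$Lines,   # Boot.ini content, one element per line
        [switch]$Remove     # strip the switch instead of adding it
    )
    $switch  = '/SAFEBOOT:DSREPAIR'
    $default = $null
    $section = ''
    $found   = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Track which section we are in: [boot loader] or [operating systems]
            $section = $Matches[1].Trim().ToLower()
        }
        elseif ($section -eq 'boot loader' -and $line -match '^\s*default\s*=\s*(.+?)\s*$') {
            $default = $Matches[1]   # ARC path of the entry that boots by default
        }
        elseif ($section -eq 'operating systems' -and $default -and
                $line.TrimStart().StartsWith("$default=", [StringComparison]::OrdinalIgnoreCase)) {
            $found = $true
            # Drop any existing copy first so the switch never appears twice.
            $line = ($line -replace ('\s*' + [regex]::Escape($switch)), '').TrimEnd()
            if (-not $Remove) { $line = "$line $switch" }
        }
        $line
    }
    if (-not $found) { throw 'Default entry not found under [operating systems].' }
    return $out
}

# Constructed sample Boot.ini, modelled on the entry shown in step 7.
$sample = @(
    '[boot loader]'
    'timeout=30'
    'default=multi(0)disk(0)rdisk(0)partition(2)\WINNT'
    '[operating systems]'
    'multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC" /fastdetect'
)

$dsrm   = Set-DsRepairSwitch -Lines $sample          # before the restart into DSRM
$normal = Set-DsRepairSwitch -Lines $dsrm -Remove    # after the repair is finished
$dsrm[-1]     # default entry with the switch appended
$normal[-1]   # default entry restored to its original form
```

On a real server, Boot.ini is a hidden, read-only system file, so its read-only attribute has to be cleared before the modified lines can be written back.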

How to Reset Forgotten Directory Services Restore Mode Password in Active Directory

September 29th, 2012 by Admin

Certain tasks in Active Directory require that you start the domain controller without Active Directory running. These include restoring the database from backup, moving the database, and performing an offline defragmentation of the database. When you start the domain controller and Active Directory is not running, you must log on as the Directory Services Restore Mode (DSRM) account. The password for this account is set when you install Active Directory. The problem is, many people set this password weeks or months ago, and when it comes time to use it, they can’t remember what it is. Does this sound familiar?

Here we’ll show you an easy way to reset a forgotten Directory Services Restore Mode password in Active Directory 2008/2003/2000. The Reset Windows Password utility can run from a CD or USB flash drive and helps you remove the Directory Services Restore Mode password without logging in to Active Directory.

How to Reset Forgotten Directory Services Restore Mode Password in Active Directory?

  1. Download the Reset Windows Password utility. Unzip the downloaded file and you’ll get a ResetWindowsPwd.iso file.
  2. Burn the ISO image file to a blank CD using any burning program (we recommend BurnCDCC) that can burn ISO images.
  3. After you have the Live CD, boot the domain controller whose password you want to reset from it. The computer will load some files from the Live CD and launch the Reset Windows Password utility.
  4. Click on the Reset Local Admin/User Password option, then choose the Windows SAM database from the drop-down list. It will display the local user accounts and you can find which account is password-protected.
  5. Choose the administrator account and then click on the Reset Password button; it will blank your Directory Services Restore Mode password immediately.
  6. Now remove the Live CD and restart the computer. You can then log in to the Directory Services Restore Mode (DSRM) account with a blank password.

As shown in the steps above, you can also click the Reset Active Directory Password option to unlock your domain user password if you forgot the domain admin/user password.